I've been making some progress learning about web application security. Right now I'm trying to finalize my strategy for sanitizing input and output.

Background: Users can submit reviews to the site, and those reviews are displayed in certain views.

1) Posting Data. When posting data (using $this->input->post('review')), I'm concerned about using the XSS filter, because it removes the user data, and it's not possible to retrieve it, so I'm looking for another way to validate the input.

2 Answers
2

I recommend reading through the resources that OWASP has available. This is a totally standard subject, and there's a lot written on it.

Make sure you do the input validation on the server. Don't trust the client to do input validation, since the client can be bypassed.

Input validation: The nature of input validation you do depends upon the type and expected range of possible values for the field. Usually you'll end up constructing a whitelist of allowed characters and checking that the input contains only those characters; or writing a regexp that characterizes valid inputs and checking against the regexp. This will likely be different for each input, because it needs to depend upon the type and expected range of values for that input.

You should combine input validation with output escaping. The proper form of output escaping depends upon where the data is being inserted into the output. For example, if you are interpolating data into a HTML document in between tags, then use htmlspecialchars to escape the data before inserting it into the HTML document (to prevent cross-site scripting). On the other hand, if you are inserting a URL, you also need to check that it uses one of a whitelisted set of protocols (e.g., http:, https:; but not javascript:).

Appreciate your response. Actually I am reading through OWASP's paper on this topic--you recommended it--and I'm reading several other articles, too. Realizing that every input validation will need to be customized, and that most of my inputs fall into categories, I'm just trying to get a sense of whether there is something standard. As a front-end developer and designer, and only a few days into learning about application security, it makes it kind of tough to make final decisions based on reading without experience to rely on.
–
chowwyMay 13 '12 at 13:49

@chowwy, "I'm just trying to get a sense of whether there is something standard" - Good question! OWASP ESAPI is one standard framework, which provides developers with APIs to assist with input validation and output escaping.
–
D.W.May 13 '12 at 21:16

Thanks, I didn't know that. Accepted and upvoted. And as a side note, I'm currently only doing server-side validation of data with Codeigniter's form validation. I may add client-side (jQuery/JS) at some point later. Security first!
–
chowwyMay 14 '12 at 15:35

Regarding your #1, you can always get the posted value and apply functions after. There is two possibilities you can use (but there is certainly more) :

Using PHP built-in filters, mostly FILTER_SANITIZE_STRING that will protect your string for sure.

You can use HTML Purifier. It will protect you agains't XSS without removing your user's data.

Now, it really depends on what you do with those submitted data. If it's just for an ID to be verified as an Integer, the filter_var with a validator flag will suffice. If you don't want your user to submit html for a review, I would go for a htmlspecialchars(), either on the server side (before adding in the database), or on the view side (when showing the string, aka #3).

#2 : You did it correctly. Nothing to add ;)

#3 : As @D.W. answered it perfectly, htmlspecialchars() should be the best for HTML outputting, and adapting what you output regarding where you output it (url, json, xml/html, etc).